Hello,

Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2

I enabled modsecurity in DetectionOnly mode, the default configuration from 
Ubuntu.

On our server we have a few sites, CMSes (Joomla, WordPress) and our own CMS.
All of them work with WYSIWYG editors.

When I set SecRequestBodyAccess On and try to update or create an article,
there are a lot of errors, especially SQL injection and XSS.

But I'm only updating an article, it's not a crime :)

It looks like modsecurity treats all HTML tags like SQL or XSS attacks;
is there any special module or parser for that?

HELP ME, PLEASE :)

tom kazm

Example from the apache2 error log:

[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:art_lid. [file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
 [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] 
[data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 
style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0) found 
within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> 
<tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz 
si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] 
[accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag 
"WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag 
"PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
"VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Warning. Pattern match 
"(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()" at 
ARGS:art_lid. [file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
 [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] 
[data "Matched Data: \\x22contentpaneopen\\x22> <tbody> <tr> <td 
valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22><span style=\\x22color: rgb( found within 
ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td 
valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigr..."] [ver 
"OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag 
"OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname 
"XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line
 "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname 
"milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id 
"VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_lid. [file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
 [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] 
[data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 
style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within 
ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td 
valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] 
[accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag 
"WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag 
"PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
"VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_text. [file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
 [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] 
[data "Matched Data: \\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within 
ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 
src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22
 /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 
target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver 
"OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag 
"OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname 
"XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] 
[client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ 
/+\\\\t\\"\\\\'`]style[ 
/+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))"
 at ARGS:art_lid. [file 
"/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
 [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] 
[data "Matched Data:  style=\\x22text-align: center\\x22><span 
style=\\x22color: rgb(128,0,0)\\x22><a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz 
si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a 
href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
 target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej w 
j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver 
"OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag 
"OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] 
[unique_id "VZZETQoKASsAAG3lzAAAAADL"]


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
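The usual answer to this kind of false positive is not to turn the XSS rules off but to mine the DetectionOnly log for which rule fired on which argument, and then exclude exactly those argument names for exactly that URI. The script below is an added example, not code from the poster or from the OWASP CRS project: it parses alert lines in the format shown above (the sample is constructed by collapsing the post's own entries back onto one line, with the rule regex and matched HTML elided), groups them by URI, rule id and ARGS target, and prints the exclusion directives. The local rule ids starting at 10001 and the CRS 2.2.9 rule ids are assumptions taken from the post; the ctl:ruleRemoveTargetById action requires ModSecurity 2.7 or later, which matches the 2.7.7 package named above.

```python
import re
from collections import defaultdict

# Constructed sample: the entries from the error_log excerpt in the post above,
# each collapsed back onto one line, with the rule regex, pid/tid and the
# matched HTML elided. Only the fields the parser needs are kept verbatim.
SAMPLE_LOG = """\
[Fri Jul 03 10:14:05.628018 2015] [:error] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(elided)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [ver "OWASP_CRS/2.2.9"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(elided)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [ver "OWASP_CRS/2.2.9"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(elided)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [ver "OWASP_CRS/2.2.9"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(elided)" at ARGS:art_text. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [ver "OWASP_CRS/2.2.9"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(elided)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: (elided)"] [ver "OWASP_CRS/2.2.9"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
"""

# One alert line: which rule fired, on which variable, for which URI.
ALERT_RE = re.compile(
    r'ModSecurity: Warning\. Pattern match ".*?" at (?P<target>\S+?)\. \[file "'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)
# A rule that aborted because the regex engine ran out of budget: -8 is
# PCRE_ERROR_MATCHLIMIT, -21 is PCRE_ERROR_RECURSIONLIMIT. Such a rule did
# not inspect the request at all, so it is a blind spot, not just noise.
PCRE_RE = re.compile(
    r'ModSecurity: Rule \w+ \[id "(?P<id>\d+)"\].*?PCRE limits exceeded \((?P<code>-?\d+)\)'
)


def parse_alerts(log_text):
    """Return ({uri: {rule_id: {ARGS targets}}}, {rule_id: msg})."""
    by_uri = defaultdict(lambda: defaultdict(set))
    messages = {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            by_uri[m["uri"]][m["id"]].add(m["target"])
            messages[m["id"]] = m["msg"]
    return by_uri, messages


def conditional_exclusions(by_uri, messages, first_id=10001):
    """One phase-1 SecRule per URI that removes only the offending ARGS from
    each rule, for that request only (ctl:ruleRemoveTargetById, ModSecurity
    >= 2.7). The id range 10001+ is an assumption: 1-99999 is reserved for
    local rules, so it cannot collide with the CRS."""
    out, rule_id = [], first_id
    for uri in sorted(by_uri):
        rules = by_uri[uri]
        out.append(f"# {uri}: " + ", ".join(sorted(rules)) + " ("
                   + "; ".join(sorted({messages[r] for r in rules})) + ")")
        out.append(f'SecRule REQUEST_URI "@streq {uri}" \\')
        actions = [f"id:{rule_id}", "phase:1", "t:none", "pass", "nolog"]
        actions += [f"ctl:ruleRemoveTargetById={rid};{target}"
                    for rid in sorted(rules) for target in sorted(rules[rid])]
        out.append(f'    "{actions[0]}, \\')
        out.extend(f"    {a}, \\" for a in actions[1:-1])
        out.append(f'    {actions[-1]}"')
        out.append("")
        rule_id += 1
    return "\n".join(out)


def global_exclusions(by_uri):
    """Unconditional alternative: SecRuleUpdateTargetById edits the rule at
    load time for every request, so it must be included after the CRS."""
    merged = defaultdict(set)
    for rules in by_uri.values():
        for rid, targets in rules.items():
            merged[rid].update(targets)
    return "\n".join(f'SecRuleUpdateTargetById {rid} "!{target}"'
                     for rid in sorted(merged) for target in sorted(merged[rid]))


def pcre_limit_hits(log_text):
    """[(rule_id, pcre_error_code)] for rules that gave up on the request."""
    return [(m["id"], int(m["code"])) for m in PCRE_RE.finditer(log_text)]


if __name__ == "__main__":
    uris, msgs = parse_alerts(SAMPLE_LOG)
    print(conditional_exclusions(uris, msgs))
    print(global_exclusions(uris))
    for rid, code in pcre_limit_hits(SAMPLE_LOG):
        print(f"# rule {rid} aborted with PCRE error {code}: raise "
              "SecPcreMatchLimit / SecPcreMatchLimitRecursion or exclude it")
```

Run it over the real error log (or the audit log) after a day in DetectionOnly mode, review the output by hand, and put the directives in a file that Apache loads after the CRS rules; SecRuleUpdateTargetById refers to a rule that must already exist. Scoping the exclusion to the admin URI and to the editor's fields keeps the XSS rules active everywhere else on the same server, including the public side of the Joomla and WordPress sites. The PCRE limits line is a separate problem: error -8 means rule 973334 stopped matching part way through the large HTML body, so the warning count understates what that rule would have flagged; either raise the two SecPcre* directives in modsecurity.conf or exclude the field there too, but do not leave it unaddressed when switching to SecRuleEngine On.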
